The CMS final rule states: “An MA organization must provide in an easily accessible location on its public website and through other appropriate mechanisms through which it ordinarily communicates with current and former enrollees seeking to access their health information held by the MA organization, educational resources in non-technical, simple and easy-to-understand language." Therefore, providing member educational materials is outside the scope of this IG and the responsibility of each payer. Although it’s outside the scope of the IG, the CARIN Alliance is encouraging payers to have applications self-attest to the CARIN Code of Conduct to ensure there is consistency in how apps are getting informed, proactive consent from members and consistency in how apps use, share, and store a member’s health information. The IG will be updated to provide this narrative: The cms patient-privacy-and-security-resources  directs that payers must educate patients about sharing their health information with third parties Among the patient disclosures, plans are encouraged to provide information on: How an individual can safeguard their online privacy; and Factors to consider when choosing a consumer-facing application. How a consumer can submit complaints to the Office of Civil Rights (OCR) or the Federal Trade Commission (FTC); CMS cites the CARIN Alliance Code of Conduct and the ONC Model Privacy Notice as best practices to meet these needs. Payers may not limit access to information for a patient through an application that fails to voluntarily attest to specific statements or if an enrollee chooses to disregard warnings about data use. The implementation date is January 1, 2021.  Patient education is out of scope for this Implementation Guide.